CVE-2003-1564

libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."

CVSS v3 6.5 MEDIUM
CVSS v2.0 9.3 HIGH

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

9.3^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://mail.gnome.org/archives/xml/2008-August/msg00034.html	Mailing List Patch
http://secunia.com/advisories/31868	Broken Link
http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2	Issue Tracking
http://www.redhat.com/support/errata/RHSA-2008-0886.html	Broken Link
http://www.stylusstudio.com/xmldev/200302/post20020.html	Broken Link
http://xmlsoft.org/news.html	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*

History

02 Feb 2024, 14:10

Type	Values Removed	Values Added
CPE	cpe:2.3:a:xmlsoft:libxml2:2.3.12:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.2:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.25:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.10:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.14:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.9:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.4:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.7:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.2:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.27:::::::* cpe:2.3:a:xmlsoft:libxml2:1.7.3:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.1:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.8:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.11:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.1:::::::* cpe:2.3:a:xmlsoft:libxml2:1.7.4:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.2:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.3:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.17:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.14:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.9:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.5:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.3:::::::* cpe:2.3:a:xmlsoft:libxml2:1.7.1:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.11:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.16:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.9:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.0:beta:::::: cpe:2.3:a:xmlsoft:libxml2:1.7.0:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.8:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.7:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.6:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.3:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.10:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.1:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.28:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.19:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.0:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.18:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.1:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.16:::::::* cpe:2.3:a:xmlsoft:libxml2:2.1.0:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.13:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.12:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.5:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.15:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.4:::::::* cpe:2.3:a:xmlsoft:libxml2:2.0.0:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.24:::::::* cpe:2.3:a:xmlsoft:libxml2:2.5.0:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.6:::::::* cpe:2.3:a:xmlsoft:libxml2:2.1.1:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.9:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.30:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.6:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.0:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.4:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.22:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.7:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.7:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.4:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.8:::::::* cpe:2.3:a:xmlsoft:libxml2:1.7.2:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.2:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.5:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.26:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.21:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.10:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.3:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.11:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.14:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.23:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.29:::::::* cpe:2.3:a:xmlsoft:libxml2:2.3.13:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.20:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.5:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.10:::::::* cpe:2.3:a:xmlsoft:libxml2:2.4.13:::::::* cpe:2.3:a:xmlsoft:libxml2:1.8.0:::::::* cpe:2.3:a:xmlsoft:libxml2:2.2.6:::::::*	cpe:2.3:a:xmlsoft:libxml2::::::::
References	~~() http://mail.gnome.org/archives/xml/2008-August/msg00034.html -~~	() http://mail.gnome.org/archives/xml/2008-August/msg00034.html - Mailing List, Patch
References	~~() http://secunia.com/advisories/31868 -~~	() http://secunia.com/advisories/31868 - Broken Link
References	~~() http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2 -~~	() http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2 - Issue Tracking
References	~~() http://www.redhat.com/support/errata/RHSA-2008-0886.html -~~	() http://www.redhat.com/support/errata/RHSA-2008-0886.html - Broken Link
References	~~() http://www.stylusstudio.com/xmldev/200302/post20020.html -~~	() http://www.stylusstudio.com/xmldev/200302/post20020.html - Broken Link
References	~~() http://xmlsoft.org/news.html -~~	() http://xmlsoft.org/news.html - Release Notes
CWE	~~CWE-189~~	CWE-776
CVSS	v2 : ~~9.3~~ v3 : ~~unknown~~	v2 : 9.3 v3 : 6.5

Information

Published : 2003-12-31 05:00

Updated : 2024-02-02 14:10

NVD link : CVE-2003-1564

Mitre link : CVE-2003-1564

CVE.ORG link : CVE-2003-1564

JSON object : View

Products Affected

xmlsoft

libxml2

CWE

CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

6.5 /10